Analysis

max time kernel: 63s
max time network: 66s
platform: windows10-ltsc 2021_x64
resource: win10ltsc2021-20241023-en
resource tags: arch:x64, arch:x86, image:win10ltsc2021-20241023-en, locale:en-us, os:windows10-ltsc 2021-x64, system
submitted: 16-11-2024 17:52

Static task: static1
Behavioral task: behavioral1
Sample: FixedBootstrapper1.exe
Resource: win10ltsc2021-20241023-en
General

Target: FixedBootstrapper1.exe
Size: 4.8MB
MD5: 12d7d6f7372db4da1e1242bd2efc8ae8
SHA1: fcde71dec007c4ad3656eb9ab2ff9d4a066e6f1b
SHA256: e4d875f0cbd3ec785d08862382e4c139496d78d54daf985e78a54883ef0fa8dd
SHA512: d07ce82badc014650a0464daa1a315dc6a51be4b3495738c9be0c08f81980f37e6d6b8baed32eb6227bee9a4c062a87f582b0333391ef59b413ef62ae1b6b777
SSDEEP: 98304:0xsTP26lnPgfjAyAzffPJFSZ0kZP2avl16aEQFluJvY/b0xtR:0xsTuoPgfVAznPkb3VLalY/bi
Malware Config
Signatures
DcRat
DarkCrystal RAT (DCRat) is a .NET remote access trojan, active since June 2019, that can load additional plugins.

Dcrat family
Matched by the YARA rule "dcrat" on dropped files and on the memory of fontsvc.exe (PID 1452) and smartscreen.exe (PID 1168); the full resource list is in the yara_rule table below.
Process spawned unexpected child process 21 IoCs
This typically indicates the parent process was compromised via an exploit or macro. In this run, however, all 21 schtasks.exe instances have the WMI provider host (C:\Windows\system32\wbem\wmiprvse.exe, PID 1528, sandbox process id 101) as their recorded parent, which is consistent with the implant creating its tasks through WMI rather than spawning schtasks.exe itself. The schtasks.exe entries therefore appear at top level in the process tree below, detached from fontsvc.exe; correlate them with the implant by time and by their /tr targets, several of which (wininit.exe, RuntimeBroker.exe, smartscreen.exe) are files fontsvc.exe drops (see "Drops file in Program Files directory" and "Drops file in Windows directory").

description: Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process
Process: schtasks.exe (pid_target 1528, procid_target 101 in every row)
Child schtasks.exe PIDs: 5476, 5464, 3368, 3336, 2100, 5636, 1112, 6024, 3472, 4348, 2284, 5848, 2632, 4772, 1416, 4696, 5672, 5184, 3540, 2068, 3320
UAC bypass 6 IoCs
(The heading of this table is missing from the extracted page; it is restored here from the "UAC bypass" tag carried by fontsvc.exe and smartscreen.exe in the process tree.) Writing these HKLM values needs an elevated token, so the implant already held admin rights when it ran. EnableLUA=0 only takes effect after a reboot; ConsentPromptBehaviorAdmin=0 (elevate without prompting) and PromptOnSecureDesktop=0 apply to every later elevation immediately.

description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | fontsvc.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | fontsvc.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | smartscreen.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | smartscreen.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | smartscreen.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | fontsvc.exe
YARA matches (rule dcrat; these are the "Dcrat family" IoCs) 12 IoCs
The two memory matches are the running implant copies: PID 1452 is fontsvc.exe and PID 1168 is smartscreen.exe.

resource | yara_rule
behavioral1/files/0x0003000000042929-23.dat | dcrat
behavioral1/files/0x002a0000000449c2-63.dat | dcrat
behavioral1/files/0x0003000000043eea-843.dat | dcrat
behavioral1/memory/1452-845-0x0000000000200000-0x00000000004A8000-memory.dmp | dcrat
behavioral1/files/0x00290000000453e7-886.dat | dcrat
behavioral1/files/0x00290000000453ca-894.dat | dcrat
behavioral1/files/0x00290000000453ce-902.dat | dcrat
behavioral1/files/0x002d0000000453d1-910.dat | dcrat
behavioral1/files/0x00290000000453d6-918.dat | dcrat
behavioral1/files/0x00290000000453d9-926.dat | dcrat
behavioral1/files/0x00290000000453de-934.dat | dcrat
behavioral1/memory/1168-948-0x0000000000C60000-0x0000000000F08000-memory.dmp | dcrat
Checks computer location settings 2 TTPs 8 IoCs
Looks up the country code configured in the registry, likely a geofence.

description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-1263212995-3575756360-1418101905-1000\Control Panel\International\Geo\Nation | fontsvc.exe
Key value queried | \REGISTRY\USER\S-1-5-21-1263212995-3575756360-1418101905-1000\Control Panel\International\Geo\Nation | FixedBootstrapper1.exe
Key value queried | \REGISTRY\USER\S-1-5-21-1263212995-3575756360-1418101905-1000\Control Panel\International\Geo\Nation | DCRatBuild.exe
Key value queried | \REGISTRY\USER\S-1-5-21-1263212995-3575756360-1418101905-1000\Control Panel\International\Geo\Nation | Bootstrapper (1).exe
Key value queried | \REGISTRY\USER\S-1-5-21-1263212995-3575756360-1418101905-1000\Control Panel\International\Geo\Nation | coloader.bat
Key value queried | \REGISTRY\USER\S-1-5-21-1263212995-3575756360-1418101905-1000\Control Panel\International\Geo\Nation | BootstrapperV2.exe
Key value queried | \REGISTRY\USER\S-1-5-21-1263212995-3575756360-1418101905-1000\Control Panel\International\Geo\Nation | WScript.exe
Key value queried | \REGISTRY\USER\S-1-5-21-1263212995-3575756360-1418101905-1000\Control Panel\International\Geo\Nation | WScript.exe
Executes dropped EXE 8 IoCs

pid | Process
3188 | Bootstrapper (1).exe
3772 | DCRatBuild.exe
3872 | BootstrapperV2.exe
1468 | coloader.bat
1892 | RezWareUi.exe
1452 | fontsvc.exe
5420 | fontsvc.exe
1168 | smartscreen.exe
Loads dropped DLL 1 IoCs

pid | Process
1892 | RezWareUi.exe
Adds Run key to start application 2 TTPs 1 IoCs

description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-1263212995-3575756360-1418101905-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\DCRatBuild = "C:\\Users\\Admin\\AppData\\Local\\Temp\\DCRatBuild.exe" | FixedBootstrapper1.exe
Checks whether UAC is enabled 4 IoCs
(Heading restored from the "Checks whether UAC is enabled" tag in the process tree.) Each implant copy reads EnableLUA before overwriting it.

description | ioc | Process
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | fontsvc.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | fontsvc.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | smartscreen.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | smartscreen.exe
Drops file in Program Files directory 11 IoCs
Each copy of the implant is written next to a small companion file with a random name (56085415360792, 2afe4ed40d5a86, 9e8d7a4ca61bd9); the RCX*.tmp entries are the temporary files used while the copies were written. The chosen file names (wininit.exe, smartscreen.exe, RuntimeBroker.exe, Idle.exe, SppExtComObj.exe) are all names of legitimate Windows binaries placed outside their legitimate directories.

description | ioc | Process
File opened for modification | C:\Program Files\Windows Mail\RCX2E19.tmp | fontsvc.exe
File opened for modification | C:\Program Files\Windows Mail\smartscreen.exe | fontsvc.exe
File created | C:\Program Files\Microsoft Office\Office16\wininit.exe | fontsvc.exe
File created | C:\Program Files\ModifiableWindowsApps\Idle.exe | fontsvc.exe
File created | C:\Program Files\Windows Mail\smartscreen.exe | fontsvc.exe
File opened for modification | C:\Program Files\Microsoft Office\Office16\wininit.exe | fontsvc.exe
File opened for modification | C:\Program Files\Windows Mail\RCX2DAB.tmp | fontsvc.exe
File created | C:\Program Files\Microsoft Office\Office16\56085415360792 | fontsvc.exe
File created | C:\Program Files\Windows Mail\2afe4ed40d5a86 | fontsvc.exe
File opened for modification | C:\Program Files\Microsoft Office\Office16\RCX25F4.tmp | fontsvc.exe
File opened for modification | C:\Program Files\Microsoft Office\Office16\RCX2672.tmp | fontsvc.exe

Drops file in Windows directory 6 IoCs

description | ioc | Process
File opened for modification | C:\Windows\Vss\Writers\Application\RCX2BA6.tmp | fontsvc.exe
File opened for modification | C:\Windows\Vss\Writers\Application\RuntimeBroker.exe | fontsvc.exe
File created | C:\Windows\LanguageOverlayCache\SppExtComObj.exe | fontsvc.exe
File created | C:\Windows\Vss\Writers\Application\RuntimeBroker.exe | fontsvc.exe
File created | C:\Windows\Vss\Writers\Application\9e8d7a4ca61bd9 | fontsvc.exe
File opened for modification | C:\Windows\Vss\Writers\Application\RCX2B09.tmp | fontsvc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery 1 TTPs 7 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | coloader.bat
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | WScript.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | DCRatBuild.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | WScript.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | BootstrapperV2.exe
Modifies registry class 3 IoCs

description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-1263212995-3575756360-1418101905-1000_Classes\Local Settings | DCRatBuild.exe
Key created | \REGISTRY\USER\S-1-5-21-1263212995-3575756360-1418101905-1000_Classes\Local Settings | coloader.bat
Key created | \REGISTRY\USER\S-1-5-21-1263212995-3575756360-1418101905-1000_Classes\Local Settings | fontsvc.exe
Scheduled Task/Job: Scheduled Task 1 TTPs 21 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.

pid | Process
3540, 2068, 3320, 5464, 6024, 4348, 4772, 5184, 5476, 2100, 3472, 3336, 1112, 2284, 2632, 1416, 4696, 5672, 3368, 5636, 5848 | schtasks.exe (the full command lines are listed in the process tree below)
Suspicious behavior: EnumeratesProcesses 22 IoCs

pid | Process | hits
1452 | fontsvc.exe | 12
1168 | smartscreen.exe | 10
Suspicious use of AdjustPrivilegeToken 4 IoCs

description | pid | Process
Token: SeDebugPrivilege | 3872 | BootstrapperV2.exe
Token: SeDebugPrivilege | 1452 | fontsvc.exe
Token: SeDebugPrivilege | 5420 | fontsvc.exe
Token: SeDebugPrivilege | 1168 | smartscreen.exe
Suspicious use of FindShellTrayWindow 1 IoCs

pid | Process
3844 | notepad.exe
Suspicious use of WriteProcessMemory 35 IoCs
The 35 rows are the 14 parent-to-child process creations below, each recorded two or three times (one row per write into the new child); procid_target is the sandbox's own index for the target process.

pid | Process | wrote to memory of | procid_target | rows
1680 | FixedBootstrapper1.exe | 3188 | 89 | 2
1680 | FixedBootstrapper1.exe | 3772 | 92 | 3
3772 | DCRatBuild.exe | 1248 | 93 | 3
3188 | Bootstrapper (1).exe | 3872 | 96 | 3
3188 | Bootstrapper (1).exe | 1468 | 98 | 3
1468 | coloader.bat | 4812 | 99 | 3
3872 | BootstrapperV2.exe | 1892 | 104 | 2
1248 | WScript.exe | 4864 | 110 | 3
4864 | cmd.exe | 1452 | 112 | 2
4812 | WScript.exe | 4888 | 113 | 3
4888 | cmd.exe | 5420 | 118 | 2
1452 | fontsvc.exe | 3812 | 137 | 2
3812 | cmd.exe | 2620 | 139 | 2
3812 | cmd.exe | 1168 | 140 | 2
System policy modification 1 TTPs 6 IoCs

description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | fontsvc.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | fontsvc.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | fontsvc.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | smartscreen.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | smartscreen.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | smartscreen.exe
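The three Policies\System values written here (and read beforehand, see "Checks whether UAC is enabled") only mean something in combination. The following is an added example, not part of the sandbox report, that replays the report's registry IoC lines against the stock Windows 10 defaults and states what the resulting posture is, including which process wrote and which process read each value. The default values (EnableLUA=1, ConsentPromptBehaviorAdmin=5, PromptOnSecureDesktop=1) are the ones Windows ships with; the IoC lines are copied from the tables above.

```python
import re

# Stock Windows 10 values for the three UAC policy entries.
UAC_DEFAULTS = {"EnableLUA": 1, "ConsentPromptBehaviorAdmin": 5, "PromptOnSecureDesktop": 1}

POLICY_KEY = r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"

# Registry IoC lines copied from the "Checks whether UAC is enabled" and
# "System policy modification" tables of this report (same format as the page).
SAMPLE_IOCS = [
    r'Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA fontsvc.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" fontsvc.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" fontsvc.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" fontsvc.exe',
    r'Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA smartscreen.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" smartscreen.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" smartscreen.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" smartscreen.exe',
]

# "<op> <\REGISTRY\...\Value>[ = "<data>"] <process>"
IOC_RE = re.compile(
    r'^(?P<op>Set value \((?P<type>\w+)\)|Key value queried)\s+'
    r'(?P<path>\\REGISTRY\\\S+?)'
    r'(?:\s+=\s+"(?P<data>[^"]*)")?'
    r'\s+(?P<proc>\S+)$'
)


def apply_iocs(lines, start=UAC_DEFAULTS):
    """Replay the IoC lines. Returns (values, writers, readers) for the Policies\\System key:
    values  - resulting value name -> int
    writers - value name -> set of processes that set it
    readers - value name -> set of processes that queried it"""
    values, writers, readers = dict(start), {}, {}
    for line in lines:
        m = IOC_RE.match(line.strip())
        if not m:
            raise ValueError(f"unrecognised IoC line: {line!r}")
        key, _, name = m.group("path").rpartition("\\")
        if key.lower() != POLICY_KEY.lower():
            continue  # some other key; not part of the UAC posture
        if m.group("op").startswith("Set value"):
            values[name] = int(m.group("data"))
            writers.setdefault(name, set()).add(m.group("proc"))
        else:
            readers.setdefault(name, set()).add(m.group("proc"))
    return values, writers, readers


def uac_findings(values):
    """Human-readable consequences of the combined values; empty for the stock posture."""
    out = []
    if values.get("EnableLUA", 1) == 0:
        out.append("EnableLUA=0: UAC is off after the next reboot; admins then run fully elevated")
    if values.get("ConsentPromptBehaviorAdmin", 5) == 0:
        out.append("ConsentPromptBehaviorAdmin=0: admins elevate silently, effective for the next elevation")
    if values.get("PromptOnSecureDesktop", 1) == 0:
        out.append("PromptOnSecureDesktop=0: any remaining prompt is drawn on the normal, spoofable desktop")
    return out


if __name__ == "__main__":
    vals, wr, rd = apply_iocs(SAMPLE_IOCS)
    for name in UAC_DEFAULTS:
        print(f"{name}: {UAC_DEFAULTS[name]} -> {vals[name]}  written by {sorted(wr.get(name, []))}"
              f"  read by {sorted(rd.get(name, []))}")
    print("\n".join(uac_findings(vals)))
```

On a live host the same three values can be read with reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v EnableLUA (and likewise for the other two names); finding ConsentPromptBehaviorAdmin=0 together with PromptOnSecureDesktop=0 on a workstation that is not under a matching Group Policy is worth an incident, whether or not EnableLUA has been flipped.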
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes

Process tree (indentation shows parent/child depth; the signatures matched by each process are listed under it):

C:\Users\Admin\AppData\Local\Temp\FixedBootstrapper1.exe  [PID 1680]
  Command line: "C:\Users\Admin\AppData\Local\Temp\FixedBootstrapper1.exe"
  - Checks computer location settings
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\Bootstrapper (1).exe  [PID 3188]
      Command line: "C:\Users\Admin\AppData\Local\Temp\Bootstrapper (1).exe"
      - Checks computer location settings
      - Executes dropped EXE
      - Suspicious use of WriteProcessMemory

        C:\Users\Admin\AppData\Local\Temp\BootstrapperV2.exe  [PID 3872]
          Command line: "C:\Users\Admin\AppData\Local\Temp\BootstrapperV2.exe"
          - Checks computer location settings
          - Executes dropped EXE
          - System Location Discovery: System Language Discovery
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of WriteProcessMemory

            C:\Users\Admin\AppData\Local\Temp\RezWare\RezWareUi.exe  [PID 1892]
              Command line: "C:\Users\Admin\AppData\Local\Temp\RezWare\RezWareUi.exe"
              - Executes dropped EXE
              - Loads dropped DLL
              (the RezWareUi.exe.WebView2 cache files in the Downloads section belong to this process)

        C:\Users\Admin\AppData\Local\Temp\coloader.bat  [PID 1468]
          Command line: "C:\Users\Admin\AppData\Local\Temp\coloader.bat"
          - Checks computer location settings
          - Executes dropped EXE
          - System Location Discovery: System Language Discovery
          - Modifies registry class
          - Suspicious use of WriteProcessMemory
          (runs as its own process and is tagged "Executes dropped EXE", so this is a PE executable despite the .bat extension; a real batch file would run inside cmd.exe)

            C:\Windows\SysWOW64\WScript.exe  [PID 4812]
              Command line: "C:\Windows\System32\WScript.exe" "C:\Chainperf\v4uTzNmDRk.vbe"
              - Checks computer location settings
              - System Location Discovery: System Language Discovery
              - Suspicious use of WriteProcessMemory
              (the image on disk is the 32-bit copy under SysWOW64 although the command line names System32: file-system redirection for a 32-bit caller; .vbe is encoded VBScript)

                C:\Windows\SysWOW64\cmd.exe  [PID 4888]
                  Command line: C:\Windows\system32\cmd.exe /c ""C:\Chainperf\cgzjncvQyIdVX7ls38qYv.bat" "
                  - System Location Discovery: System Language Discovery
                  - Suspicious use of WriteProcessMemory

                    C:\Chainperf\fontsvc.exe  [PID 5420]
                      Command line: "C:\Chainperf\fontsvc.exe"
                      - Executes dropped EXE
                      - Suspicious use of AdjustPrivilegeToken
                      (second copy of the implant started by the coloader.bat chain; only PID 1452 below went on to install)

    C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe  [PID 3772]
      Command line: "C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe"
      - Checks computer location settings
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Modifies registry class
      - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\WScript.exe  [PID 1248]
          Command line: "C:\Windows\System32\WScript.exe" "C:\Chainperf\hTUnoY.vbe"
          - Checks computer location settings
          - System Location Discovery: System Language Discovery
          - Suspicious use of WriteProcessMemory

            C:\Windows\SysWOW64\cmd.exe  [PID 4864]
              Command line: C:\Windows\system32\cmd.exe /c ""C:\Chainperf\j2XzyEby.bat" "
              - System Location Discovery: System Language Discovery
              - Suspicious use of WriteProcessMemory

                C:\Chainperf\fontsvc.exe  [PID 1452]
                  Command line: "C:\Chainperf\fontsvc.exe"
                  - UAC bypass
                  - Checks computer location settings
                  - Executes dropped EXE
                  - Checks whether UAC is enabled
                  - Drops file in Program Files directory
                  - Drops file in Windows directory
                  - Modifies registry class
                  - Suspicious behavior: EnumeratesProcesses
                  - Suspicious use of AdjustPrivilegeToken
                  - Suspicious use of WriteProcessMemory
                  - System policy modification

                    C:\Windows\System32\cmd.exe  [PID 3812]
                      Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\z0umrEhMBq.bat"
                      - Suspicious use of WriteProcessMemory

                        C:\Windows\system32\w32tm.exe  [PID 2620]
                          Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                          (takes about five seconds to complete; used by the batch file as a delay before starting the next stage)

                        C:\Program Files\Windows Mail\smartscreen.exe  [PID 1168]
                          Command line: "C:\Program Files\Windows Mail\smartscreen.exe"
                          - UAC bypass
                          - Executes dropped EXE
                          - Checks whether UAC is enabled
                          - Suspicious behavior: EnumeratesProcesses
                          - Suspicious use of AdjustPrivilegeToken
                          - System policy modification
                          (the installed copy of the implant, run from the path the "smartscreen" scheduled tasks below point at)

C:\Windows\system32\notepad.exe  [PID 3844]
  Command line: "C:\Windows\system32\notepad.exe"
  - Suspicious use of FindShellTrayWindow
  (separate root; not spawned by the sample)

schtasks.exe, 21 instances (image C:\Windows\system32\schtasks.exe). Each is shown as a root because the recorded parent is wmiprvse.exe (PID 1528), which is not part of the sample's tree; every instance carries "Process spawned unexpected child process" and "Scheduled Task/Job: Scheduled Task".

  PID 5476: schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 9 /tr "'C:\Program Files\Microsoft Office\Office16\wininit.exe'" /f
  PID 5464: schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office\Office16\wininit.exe'" /rl HIGHEST /f
  PID 3368: schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 7 /tr "'C:\Program Files\Microsoft Office\Office16\wininit.exe'" /rl HIGHEST /f
  PID 3336: schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 10 /tr "'C:\Users\Default User\fontdrvhost.exe'" /f
  PID 2100: schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Users\Default User\fontdrvhost.exe'" /rl HIGHEST /f
  PID 5636: schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 6 /tr "'C:\Users\Default User\fontdrvhost.exe'" /rl HIGHEST /f
  PID 1112: schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 13 /tr "'C:\Windows\Vss\Writers\Application\RuntimeBroker.exe'" /f
  PID 6024: schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Windows\Vss\Writers\Application\RuntimeBroker.exe'" /rl HIGHEST /f
  PID 3472: schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 9 /tr "'C:\Windows\Vss\Writers\Application\RuntimeBroker.exe'" /rl HIGHEST /f
  PID 4348: schtasks.exe /create /tn "smartscreens" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Mail\smartscreen.exe'" /f
  PID 2284: schtasks.exe /create /tn "smartscreen" /sc ONLOGON /tr "'C:\Program Files\Windows Mail\smartscreen.exe'" /rl HIGHEST /f
  PID 5848: schtasks.exe /create /tn "smartscreens" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Mail\smartscreen.exe'" /rl HIGHEST /f
  PID 2632: schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Chainperf\csrss.exe'" /f
  PID 4772: schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Chainperf\csrss.exe'" /rl HIGHEST /f
  PID 1416: schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Chainperf\csrss.exe'" /rl HIGHEST /f
  PID 4696: schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 13 /tr "'C:\Chainperf\spoolsv.exe'" /f
  PID 5672: schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Chainperf\spoolsv.exe'" /rl HIGHEST /f
  PID 5184: schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 9 /tr "'C:\Chainperf\spoolsv.exe'" /rl HIGHEST /f
  PID 3540: schtasks.exe /create /tn "MoUsoCoreWorkerM" /sc MINUTE /mo 14 /tr "'C:\Users\Public\AccountPictures\MoUsoCoreWorker.exe'" /f
  PID 2068: schtasks.exe /create /tn "MoUsoCoreWorker" /sc ONLOGON /tr "'C:\Users\Public\AccountPictures\MoUsoCoreWorker.exe'" /rl HIGHEST /f
  PID 3320: schtasks.exe /create /tn "MoUsoCoreWorkerM" /sc MINUTE /mo 11 /tr "'C:\Users\Public\AccountPictures\MoUsoCoreWorker.exe'" /rl HIGHEST /f

The tasks follow one fixed pattern per implant copy: a suffixed name (e.g. "wininitw") run every few minutes, the bare name (e.g. "wininit") run at logon with /rl HIGHEST, and the suffixed name again with a different interval and /rl HIGHEST. Because the third command reuses the first task's name with /f, it overwrites it, so what remains on the host is two tasks per name, both with /rl HIGHEST. All seven targets use the name of a legitimate Windows binary at a path where that binary never lives (Office16, Default User, Vss\Writers, Windows Mail, C:\Chainperf, Public\AccountPictures), which is the simplest thing to hunt for across an estate.
Network
MITRE ATT&CK Enterprise v15

Persistence
  Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
  Scheduled Task/Job (1): Scheduled Task (1)
Privilege Escalation
  Abuse Elevation Control Mechanism (1): Bypass User Account Control (1)
  Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
  Scheduled Task/Job (1): Scheduled Task (1)
Defense Evasion
  Abuse Elevation Control Mechanism (1): Bypass User Account Control (1)
  Impair Defenses (1): Disable or Modify Tools (1)
  Modify Registry (3)
Downloads

Files written during the run. The page retained a path only for the four WebView2 cache files; for the other entries only size and hashes are available. The several 2.6MB entries have different hashes, so a block on the submitted sample's hash alone will not catch the dropped copies; use the paths and task names from the process tree instead.

Filesize: 2.6MB
MD5: 28bb43cb9b8ebbb3c99a835f79fbe54b
SHA1: e4c5eb19d1869b3b697ea993d0c161406ad2e5da
SHA256: 709bd0907308ceb5e14e480e6c3fd68eee02578c780dc930e6510a4d86f10ff3
SHA512: 2d824f5fa7b4121b244d9dc63aae3c60ecfef9eb7de1c3b36c9e174c834ec3053e1f30c453bd403e3c64495bdf5e5f15dd68c239271ccc190c3d9d3193dd9ff7

Filesize: 2.6MB
MD5: b43eb1570f1db9f4d0a87879b974437c
SHA1: 8ba1be5e82f452d464bc8b096e2861b223163c7c
SHA256: 467b59a8744100fa4992ea3f7fa40de43338d86fa2008df392b7db19a8d90c25
SHA512: b90dd28b8c783122e24970409d37efa31c2570e02f84d4e4d2940183b9c1806067b34b60b41cced6d4f86fa7e7d3e63ecd4a5ed93b3d167ca3007e571e9b761a

Filesize: 195B
MD5: 14d81562e8d7dbc0a2a134a5c9628702
SHA1: ac6608ff041dc83244a6d690361789500e218278
SHA256: 8c5c776f71fe80369caddb3052aff6271febba8f32db5b79fe09e35cd117bb0b
SHA512: 5ca0894dad3264984aabeb27b376e4ee20a0cf630b6381a6ebb335fd79a4f5a745f86c961a2e00eb9aef31ff88c25badb965772b96ad7e78e492277550df61d7

Filesize: 26B
MD5: 4920cb6044ceea5854ff65872d50650e
SHA1: 63c8c0362d9846b78682f4a6218b3f462847122d
SHA256: 926ec2c6e83a5ff06b38d0beea444dfbf461cef3f82d91ba617535727501e09e
SHA512: a5b502e29bf5db4c731d2a40b0553a7247f7d61a88ebf9cc07d55741b8f529c3c8f3634789557a19141c3f9121f27f0d568cfac48a8b13ef6ede34bb8568095f

Filesize: 2.6MB
MD5: 61ab016a26c52471188084adc95a9245
SHA1: 0cd2de1499c0fba3ce903d202c526b3610e2dc19
SHA256: 292060c9a6a48f7954396e58d6084c881012dd492a2cc7da6d3671ed808f43ba
SHA512: 2962e05479e6e4c2bac75fce79a825f6ed8bdea4d6f077e02a43ae892c093d4396d8937952bcbdec90a2e0fda98718228fac665f2d07cf913eb5b97918667062

Filesize: 208B
MD5: fee6b802bc54e4017d5170f8f2f32d7b
SHA1: 282cffc756bb4ef62262f28cc3a9894285b2fbdb
SHA256: 26b35277127596094f3b7376634ea98b8623f346894fec1581c648649d69bb03
SHA512: dc78cff3abb518ca749d6c79f895cb0f1a7c73a2cd8d40d6fa01cb34c4076411c7f62f0f32bdf103cc590ed09195159dce9f1c241b38c6f966cc197d71bb0723

Filesize: 2.6MB
MD5: 8a4df2057238f359240dc30946171255
SHA1: e18717f6bbba3065a0d69808781cff92f22a6dc3
SHA256: 7f743f9887dcbd380d26b93d98d76709e72014cc6ecc639d21f67ebab04608db
SHA512: 515c32bb52d903fda727aeb25d529c5b0ed3f8a7a1f4d740fc6189d9748280ae642880e18829dd5f1bb900967c3a05476c07f875bfaa237a4ac25c6be29f5784

Filesize: 2.6MB
MD5: 81fa8f507b22bda8ed0cde8608536d22
SHA1: 01734053db9e62f3478d7cb4b6a2c8f85da7b29e
SHA256: 6e2ab2da4f49a309a5780068f7ec000a45318fb3af23854ac8c417e9c0d4b1f6
SHA512: 14e1a0caae0825a127f583799b0373be987b6c31070e00ff13f41ca67fbd52b6b71404303c99f5013d6844726799a62c417dfa90cdc2f2a7aa2dccdcb3ab7e47

Filesize: 1KB
MD5: 340f7d929ebbc3218c7c80bb773799de
SHA1: d6246e1ec0a00c25283d12ca60108f6c8888bb1c
SHA256: 818c3b409a489f80f5ebc50338ea66ea8a4d90d3d35c4f41d37861dfdbd3da04
SHA512: 083198c6adc0b14dc6cc3ab9235450aa7ca3b49b5342949771d216f6cd2a82187f02665a803e9ad88064797b78aafdd1aac11f8da1442bfabb0ee72454841d56

Filesize: 2.4MB
MD5: 7288fa841bea76ca83489df7eafcffe4
SHA1: 2ab384971a7e4d60a3dc84ba727779379abb06b4
SHA256: 73827a9be154cc1b7d695beebe67ac9d875c7069baf512dca6eb28d6090bdba2
SHA512: b323e6fbdafdd098b94648b7d27d7008a96b90853de5315919106416e23148d922fba13e3f8c2ba857e7a2f6913f5bc8f8a3625b216f7eab11623d69188ce435

Filesize: 30KB
MD5: 2ab717edcfc55d3ec5c2c26db00ccaf6
SHA1: 4c6aeca51011ebb8ceed6ab955e184f7bbb1dd1e
SHA256: 117949b2d79a0db89fa3cae4a003fd8c4dfe315b249d4fec3e624ab17a92ba79
SHA512: 16029d7e67f91c11d5e3c6bcbd9742b926674bf158a59dec98585ddb833dbca8e5f02b14ad10b1d613e962ab7a38fc6bfa0e6dd58a184b5ecac4b25e84078af9

Filesize: 2.9MB
MD5: aba3f025085150b0a5481349345c290b
SHA1: 9872b69f6c4ece69de2eba82e0201d587ce2c661
SHA256: 1074caabe40da07f7b3737dc1338b68c767e9b8fd087230d650f7eb9da48d0ab
SHA512: 9db2470bab928bfc7cb3a56aec753b814af7dd88f62c7cc4765621c9040b7fc54eef211536ac01830357fdb77447c4d52cb062943dc01d335056802dc37007b2

Filesize: 581KB
MD5: 3d9465d5161ac2ab5a83265935514349
SHA1: 5d40047faf2a166e6c25f106c244b5826bd0aad9
SHA256: 24d1f432632c971456e6db676f609772b98d0cf3d3a5450c78d3dbb75744399e
SHA512: 8d84de25fcb88ad6786de9f077612d356eed8726a50e9b6c44a3dff456ca8a160e0707cd1902b52e4890f97f4a5a72466ac149e71d1e790267141a6710ecc70d

Filesize: 81KB
MD5: b8766e71b537b000f020ae51284ab4cd
SHA1: 4731f26cb74c8c2f6addea537dde860cd94321ac
SHA256: 7b0ad54180a2b6c4443a68c93309c1e4196e9baaeb0a6c58ca5b192ed0ce8615
SHA512: b1e7d7dd971fd0fc8ce777ca0942add849f77de8a50a0ce4d117d18bee06dce4dd98622a4dbe44e11bc199646e388917255328191789c25f68f0809ee8eebc34

Filesize: 2KB
MD5: b792378cb2aea10976c3105a40682054
SHA1: 86f17ad3859c50a1143ca1b34bd0488db072955b
SHA256: c5c0e3c6a831591a2f880eedba19559e3247ef3bac4bee5be2a7cda3e42de41c
SHA512: 672ea1bcb8b78409d015f9b6ef1cc3c6db0d9c095a3cef9f15bc6bdeec3e770265996201cc7f07c8679058dcd3818c0b67bd892f669a031bd3f29aa023a5763d

Filesize: 269KB
MD5: 872696973b682795ce08aaa146ec592c
SHA1: d7b2f85e82d729500e89cd57fb33a8402ed8619c
SHA256: cda4b46cd902560799fb15ba73f461743b113b95059c32d0c4dd4626312675cd
SHA512: fca468bcd87d7738762170371c5491fb3999bbce7c0e3e0c833df7d30339956dc6ef92678c6b81e1fd6f87e09b42906b0807cae073c4dad2290331cfa9130dbd

Filesize: 197KB
MD5: 519bfcee8788448f7afede8ed92d1368
SHA1: 81326547e415281711cf5d26240ef288bf260a0e
SHA256: 36919fc389c74858e9497ca15a181f6b295a842edd78557b5f4efd36a0080c87
SHA512: 6a515c6f337997e0972f7d580ac025a6d3da32a44267610229dd47a10260640711270efd5afa080bcd17d13047e0a5337902368069806691d07b2acd77f1e483

C:\Users\Admin\AppData\Local\Temp\RezWare\RezWareUi.exe.WebView2\EBWebView\Default\DawnWebGPUCache\data_2
Filesize: 8KB
MD5: 0962291d6d367570bee5454721c17e11
SHA1: 59d10a893ef321a706a9255176761366115bedcb
SHA256: ec1702806f4cc7c42a82fc2b38e89835fde7c64bb32060e0823c9077ca92efb7
SHA512: f555e961b69e09628eaf9c61f465871e6984cd4d31014f954bb747351dad9cea6d17c1db4bca2c1eb7f187cb5f3c0518748c339c8b43bbd1dbd94aeaa16f58ed

C:\Users\Admin\AppData\Local\Temp\RezWare\RezWareUi.exe.WebView2\EBWebView\Default\Extension State\CURRENT
Filesize: 16B
MD5: 46295cac801e5d4857d09837238a6394
SHA1: 44e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA256: 0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA512: 8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

C:\Users\Admin\AppData\Local\Temp\RezWare\RezWareUi.exe.WebView2\EBWebView\Default\Extension State\MANIFEST-000001
Filesize: 41B
MD5: 5af87dfd673ba2115e2fcf5cfdb727ab
SHA1: d5b5bbf396dc291274584ef71f444f420b6056f1
SHA256: f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4
SHA512: de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Filesize: 44KB
MD5: 93402cc1d2e8a195a963fce311377a2b
SHA1: 4e3b823b142f98527ff4611cb23c70bfa599bd39
SHA256: a1b4a062523b9461b19db3a7a2eaffa093c018db9e1bff9bc2b910e02734f75f
SHA512: db462fc624e0a9b3fffb0182c24d30389f951e6a8a46a578fca7125f11e33cced489a3eaa1b7db35bb975b32e3bb996fa296dcf1e491bcd3acb1f97c03eac4f6

Filesize: 264KB
MD5: aabcf0c28e69a6dcede53d6308353172
SHA1: 32d5846fba676ae54511f6d72cf70b36300580fc
SHA256: 96d2810647658e1292acb5caa78945e8d5b65ba65844e37c33a5728e477760a4
SHA512: f642078e42d4ced46df4cda281c1398e7b798ff90d530a9ac209e54b786f90fb9f7484c96f63f7dae78fa2616810c5285eb28661d90d3374c378a514c5ade863

Filesize: 8KB
MD5: 41876349cb12d6db992f1309f22df3f0
SHA1: 5cf26b3420fc0302cd0a71e8d029739b8765be27
SHA256: e09f42c398d688dce168570291f1f92d079987deda3099a34adb9e8c0522b30c
SHA512: e9a4fc1f7cb6ae2901f8e02354a92c4aaa7a53c640dcf692db42a27a5acc2a3bfb25a0de0eb08ab53983132016e7d43132ea4292e439bb636aafd53fb6ef907e

C:\Users\Admin\AppData\Local\Temp\RezWare\RezWareUi.exe.WebView2\EBWebView\Default\Shared Dictionary\cache\index
Filesize: 24B
MD5: 54cb446f628b2ea4a5bce5769910512e
SHA1: c27ca848427fe87f5cf4d0e0e3cd57151b0d820d
SHA256: fbcfe23a2ecb82b7100c50811691dde0a33aa3da8d176be9882a9db485dc0f2d
SHA512: 8f6ed2e91aed9bd415789b1dbe591e7eab29f3f1b48fdfa5e864d7bf4ae554acc5d82b4097a770dabc228523253623e4296c5023cf48252e1b94382c43123cb0

Filesize: 386B
MD5: 186a65581e2f29258f54d396660409fa
SHA1: 6f998d3be2e85cb5419205f867135874f27c0a3a
SHA256: e1e0974d0e8833375024eb7c78521b3b5cad4228aad22b23d506cbe702445844
SHA512: 7dea87b523aab01ea3c794779b71bc0b52179e1d5e7b9a45539ddd39c775969ef22853c4c193699aec1e3fa3cbe26e90e3a4881226c52a3aacae1eac260ff896

Filesize: 162KB
MD5: 0ad9319fa14d39c0812583337546ca20
SHA1: 0a76b27dc44f46756984a7a5f93f9a9b024aedb5
SHA256: 1d963a02d8a7fa3e7eac2e936dad5559c4d63327f35b0a09787ffc1d58f9c18d
SHA512: 01bfb6516ea8d2347863fdf6de7ce1bc598d0798a7a388a0b4478a8be4bad66362185f366ed52adb19008f518c05fbaedf46268051bbf26e448e23b017af669f

Filesize: 7B
MD5: 260ca9dd8a4577fc00b7bd5810298076
SHA1: 53a5687cb26dc41f2ab4033e97e13adefd3740d6
SHA256: aee408847d35e44e99430f0979c3357b85fe8dbb4535a494301198adbee85f27
SHA512: 51e85deb51c2b909a21ec5b8e83b1cb28da258b1be227620105a345a2bd4c6aea549cd5429670f2df33324667b9f623a420b3a0bdbbd03ad48602211e75478a7

Filesize: 2.9MB
MD5: e98585e959567dccbbca136f31985860
SHA1: 7fbd2fe1ab08a183e12bdbb4001991a0161d0a1f
SHA256: 75d6a27004712293186fcfc12119b369530254e57c6404115f7a5a9a05654ebe
SHA512: a81a99dd6216cfdc4f09a02c47a7cb95128725596d46d04fb881a9495bf97a222dc3ad8b6d41a3688aac7a2742aff416a9cd47b6317a0827bfd6515b1ff7957d

Filesize: 210B
MD5: f86020a34ea663275ceef5f30e3a6bad
SHA1: fc5357fc68cc380c6fb09b5ae129b388f556e679
SHA256: 0a350e1f413a67b6e78ed2e4835ab7153ababc5de3d444bdd3d693acaa79203f
SHA512: 192cef527518bc6f20db97c48f08c73b275fcd84d9298612ba4e6425a4d4a9f3269d87bf5cc12b6f0dab449b851ac83967fd0cf8173a3fb101eaed1d3789823e

Filesize: 2.6MB
MD5: 063e87290df6398d2d211108927f048b
SHA1: f1019198d2d851d868f053d46ec2b09be0c4c33e
SHA256: 35e7d70077918bbeac46a836cf2207cc2c19db39fef59af5bfd0eef74245e0a0
SHA512: 038b9eb7424cad5e23f5a0862c33b18d207c7ddfc666dde0e3c807b6ef63b371b46ce497a8abeb295e2b4a34a5c089eae52b754fdbf8258251422fc29bd99ed5

Filesize: 2.6MB
MD5: 2e603d0c8dc89ccb2700e0d87716cf67
SHA1: 80da23c1f8fa606690941b1c3c56a9687a16f168
SHA256: 379634a7d77b0fe012a8962cd133e6b614056bdb4bc0e7df1d7504b3df2a18a2
SHA512: 57f867ab5b53c6ce0821d0882d0883ee6c57ccad571fb5f550600ae27f70e55599035b3ba8da7890bceed3da8d1bc209a4e57529f49297021b68eafaa2a30d52

Filesize: 2.6MB
MD5: 4c1ec492248a7c56ae467fff49c38980
SHA1: 619c221be4cd22cf729e275f4be58bd9ff5b1db9
SHA256: 3faad1de215ddf652ad826261c3a7550b9eba8b4e86ffb0c90fbb40f6d1a31f4
SHA512: 3b0e2dff5bedc570bc349f01c879db19497f1933c9cc9092d96372eca1e5dd02fa424cd18cccb8c71f5a7617b894bf6e37e89522aad0833c70fa10ace31801ea